.. /Diskshadow.exe
Star

Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).

Paths:

C:\Windows\System32\diskshadow.exe
C:\Windows\SysWOW64\diskshadow.exe

Resources:

https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Acknowledgements:

Jimmy (@bohops)

Detection:

Dump

Execute commands using diskshadow.exe from a prepared diskshadow script.
```
diskshadow.exe /s c:\test\diskshadow.txt
```
Use case
Use diskshadow to exfiltrate data from VSS such as NTDS.dit

Privileges required
User

Operating systems
Windows server

ATT&CK® technique
T1003.003

Execute

Execute commands using diskshadow.exe to spawn child process
```
diskshadow> exec calc.exe
```
Use case
Use diskshadow to bypass defensive counter measures

Privileges required
User

Operating systems
Windows server

ATT&CK® technique
T1202